Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2023 13:29
Static task: static1
Behavioral task: behavioral1
Sample: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
Resource: win7-20230220-en
General
Target: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
Size: 382KB
MD5: 0b210149771c6be2ed5b6b35a5cce602
SHA1: 0eb97fd3876ad888b1a9c6eae468ff607a3cf6d3
SHA256: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c
SHA512: 82d1871482bd12cbfa280faaafb1714ad52f6eed816584503583a3d6954e121c019c31f1414dd7c0ca23b081e63f8cf79e6b9766b7ad814aa3f6bb90fac29799
SSDEEP: 6144:De/8LygqoByTolrDZkS/C12BZphqoLZ4PUyym3wVLvuVNG23BO:DQ8WgWopZkmCkZphqo2PUyB3wRGV42
Malware Config
Extracted family: gcleaner
C2 addresses:
45.139.105.171
85.31.46.167
107.182.129.235
171.22.30.106
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation
  process: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (7 IoCs)
Processes: WerFault.exe (7 instances)
  pid   pid_target  process       target process
  3152  3164        WerFault.exe  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
  3864  3164        WerFault.exe  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
  4480  3164        WerFault.exe  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
  3484  3164        WerFault.exe  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
  2964  3164        WerFault.exe  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
  2700  3164        WerFault.exe  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
  400   3164        WerFault.exe  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe

Kills process with taskkill (1 IoC)
Processes: taskkill.exe
  pid   process
  1768  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: taskkill.exe
  description              pid   process
  Token: SeDebugPrivilege  1768  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe, cmd.exe
  description                         pid   process                                                                target process
  PID 3164 wrote to memory of 1332    3164  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe  cmd.exe
  PID 3164 wrote to memory of 1332    3164  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe  cmd.exe
  PID 3164 wrote to memory of 1332    3164  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe  cmd.exe
  PID 1332 wrote to memory of 1768    1332  cmd.exe                                                                taskkill.exe
  PID 1332 wrote to memory of 1768    1332  cmd.exe                                                                taskkill.exe
  PID 1332 wrote to memory of 1768    1332  cmd.exe                                                                taskkill.exe
Processes
(indentation shows parent/child depth; each entry gives the image path, then the command line, then the signatures it triggered)

1. C:\Users\Admin\AppData\Local\Temp\efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 732
      - Program crash

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 736
      - Program crash

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 740
      - Program crash

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 780
      - Program crash

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 780
      - Program crash

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 916
      - Program crash

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe" & exit
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 724
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3164 -ip 3164

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3164 -ip 3164

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3164 -ip 3164

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3164 -ip 3164

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3164 -ip 3164

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3164 -ip 3164

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3164 -ip 3164